include "../../MachO.yara"

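// Detects the macOS XAgent (Sofacy) backdoor described in the two write-ups
// referenced in meta. Every alternative in the condition is gated on the
// MachO helper rule from the included MachO.yara, so the short URL-path and
// query-parameter tokens below are only ever evaluated against Mach-O files.
//
// Each string set is deduplicated on purpose: the "N of ($d*)" and
// "N of ($e*)" thresholds only mean "N distinct artifacts" if no two
// identifiers carry the same bytes. Before this revision $d2/$d6 ("search/?")
// and $e1/$e4/$e8 ("itwm=") were identical, so a file containing just three
// distinct tokens satisfied the 4-of and 5-of thresholds respectively.
rule malware_macos_apt_sofacy_xagent
{
    meta:
        description = "sofacy xagent for macOS"
        reference_1 = "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
        reference_2 = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/"
        author = "@mimeframe"
        md5 = "4fe4b9560e99e33dabca553e2eeee510"
    strings:
        // malware commands (the trailing colon on deleteFile: suggests these
        // are Objective-C selector names; 5 distinct are required below)
        $a1 = "remoteShell" ascii wide
        $a2 = "getInfoOSX" ascii wide
        $a3 = "ftpUpload" ascii wide
        $a4 = "startUploading" ascii wide
        $a5 = "deleteFile:" ascii wide
        $a6 = "executeShellCommand" ascii wide
        $a7 = "getFirefoxPassword" ascii wide
        $a8 = "generateRandomPathAndName" ascii wide
        $a9 = "createCryptPacket" ascii wide
        $a10 = "CameraShot" ascii wide
        $a11 = "7Cryptor" ascii wide
        $a12 = "8ICryptor" ascii wide
        $a13 = "Keylogger" ascii wide
        $a14 = "BootXLoader" ascii wide
        $a15 = "InjectApp" ascii wide
        // unique malware strings (any single hit is considered specific enough)
        $b1 = "/Project/XAgentOSX/" ascii wide
        $b2 = "XLoader_OSX" fullword ascii wide
        $b3 = "<span class='keylog_user_keys'>" ascii wide
        $b4 = "<span class='keylog_process'>" ascii wide
        $b5 = "<span class='keylog_spec_key'>" ascii wide
        $b6 = "<font size=4 color=red><pre>Stop take screenshot</pre></font>" ascii wide
        // c2 domains (any single hit is considered specific enough)
        $c1 = "http://23.227.196.215/" ascii wide
        $c2 = "http://apple-iclods.org/" ascii wide
        $c3 = "http://apple-checker.org/" ascii wide
        $c4 = "http://apple-uptoday.org/" ascii wide
        $c5 = "http://apple-search.info" ascii wide
        // c2 URL paths -- six distinct values, 4 required below
        $d1 = "watch/?" fullword ascii wide
        $d2 = "search/?" fullword ascii wide
        $d3 = "find/?" fullword ascii wide
        $d4 = "results/?" fullword ascii wide
        $d5 = "open/?" fullword ascii wide
        $d6 = "close/?" fullword ascii wide
        // c2 URL parameters -- eight distinct values, 5 required below. These
        // tokens are short and common in ordinary web traffic, which is why a
        // high distinct-hit count (plus the MachO gate) is needed here.
        $e1 = "itwm=" fullword ascii wide
        $e2 = "text=" fullword ascii wide
        $e3 = "from=" fullword ascii wide
        $e4 = "ags=" fullword ascii wide
        $e5 = "btnG=" fullword ascii wide
        $e6 = "oprnd=" fullword ascii wide
        $e7 = "utm=" fullword ascii wide
        $e8 = "channel=" fullword ascii wide
    condition:
        // Mach-O gate first; then either a cluster of command names, one of the
        // unique strings or C2 hosts, or a sufficiently large cluster of the
        // generic URL path / parameter tokens.
        MachO and (5 of ($a*) or any of ($b*) or any of ($c*) or 4 of ($d*) or 5 of ($e*))
}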
